In other words, someone forgot about the images. Nice. :) And no mention of a public fix either.

From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf Of Sutha Thavaratnarajah
Sent: Sunday, 26 October 2014 7:51 AM
To: ozmoss@ozmoss.com
Subject: RE: Yammer web part.

Hello all,

I got a response from Microsoft regarding the issue. I'd like to share it with you all, as it seems many of us are using this web part. Here is their response.

=========================================

In late 2013, we identified a potential security vulnerability in the architecture of the Yammer for SharePoint 2010 web-part. The web-part was routing its cross-domain requests to Yammer through an Adobe Flash proxy which was using a local security policy file. The request to the local policy file enables Yammer to essentially whitelist any domain. This is a vulnerability because if an attacker is aware of this mechanism, s/he can make requests to arbitrary Yammer URLs and scrape content.

We fixed this security vulnerability by removing the Flash proxy, thereby routing those calls to Yammer APIs through SharePoint servers. The authentication now happens at the SharePoint server, thus preventing any cross-site request forgery attacks.

A bug was later filed about images failing to render in the feed due to the image request not being routed through the SharePoint servers; ergo, Yammer has no means to authenticate the request. The images not being rendered in the feed is in fact the right behaviour as it is preventing unauthorized requests to Yammer image URLs. Fixing this bug would mean routing the image requests through SharePoint servers and authenticating them similar to other feed content.

It is not possible to roll back the service to the previous state as this reintroduces a high security risk. It is also not possible to make a private fix since the change was made at a service level and cannot be undone for a specific customer/Yammer network.

=====================================================

Thanks all.
Regards
Sutha Thavaratnarajah

________________________________

From: sutha1...@hotmail.com
To: ozmoss@ozmoss.com
Subject: RE: Yammer web part.
Date: Tue, 14 Oct 2014 12:18:47 +1100

Thanks for the effort to find a solution. Same domain. Seems they tightened the security for images. A few other people have a similar issue. Not sure how they resolved it.

http://community.office365.com/en-us/f/176/t/227685.aspx

Sutha.

________________________________

From: p.no...@keller.com.au
To: ozmoss@ozmoss.com
Subject: RE: Yammer web part.
Date: Tue, 14 Oct 2014 01:15:20 +0000

I'm out of ideas. Seems bizarre that text loads and you can reply but the images give a 401. Is there anything different about the image location? Same domain and permissions?

From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf Of Sutha Thavaratnarajah
Sent: Tuesday, 14 October 2014 12:06 PM
To: ozMOSS
Subject: RE: Yammer web part.

Hi Paul,

The answer is yes for all of your questions. :) But still no luck.

Sutha.

________________________________

From: p.no...@keller.com.au
To: ozmoss@ozmoss.com
Subject: RE: Yammer web part.
Date: Tue, 14 Oct 2014 00:58:50 +0000

* Do you have Yammer for SharePoint 2010 3.1.4 and deployed SSO for your SharePoint environment? Yes.
* Does the web part load the images correctly if you're logged into Yammer in another tab? Yes.
* Does the Activity Stream Token you're using have full access to the content? Yes.
* Have you tried adding Yammer to trusted sites? Yes.

Regards,
Paul

From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf Of Sutha Thavaratnarajah
Sent: Tuesday, 14 October 2014 11:33 AM
To: ozmoss@ozmoss.com
Subject: RE: Yammer web part.

Hi Nigel,

I am using OOB. I am not able to see the images only; all other components are OK. I noticed a few things:

https://www.yammer.com/api/v1/oauth/tokens.json?access_token=xxxxWGLk8mv8nFUM9Ykw HTTPS GET 401 text/html
https://www.yammer.com/api/v1/uploaded_files/24962470/version/xxxx47819/thumbnail HTTPS GET 401 text/html

Also, if I log in to Yammer and then open SharePoint, it makes the images visible. Sounds like something is not right with the authentication tokens?

Thanks.
Sutha.

________________________________

From: nigel_wither...@hotmail.com
To: ozmoss@ozmoss.com
Subject: RE: Yammer web part.
Date: Tue, 14 Oct 2014 00:10:50 +0000

Hey Mate,

Our Yammer 2010 part is working correctly (displaying images etc.). The original 2010 Yammer web part (which we are still using) is out of support now, and they recommend you use a bunch of JavaScript to replace it with (presumably hosted in a CEWP). Which are you using?

Are you able to request the images directly in the browser, or do you get denied access? 401 is unauthorized - what account is trying to access them?

Cheers,
Nigel

________________________________

From: sutha1...@hotmail.com
To: ozmoss@ozmoss.com
Subject: Yammer web part.
Date: Tue, 14 Oct 2014 10:34:56 +1100

Dear All,

The Yammer web part (SharePoint 2010) in our intranet has an issue. Everything is looking fine except for the fact that no posted images are displayed in SharePoint. I noticed from Fiddler a 401 error on the image request.

Could anyone guide? Thanks.

Sutha.

The content of this email is confidential to the intended recipient at the email address to which it has been addressed. It may not be disclosed to, or used by, anyone other than this addressee, nor may it be copied in any way. If received in error, please contact the author and then delete the message from your system. Please note that neither Keller Australia nor the sender accepts any responsibility for viruses and it is your responsibility to scan the email and attachments (if any). Visit http://www.keller.com.au/ for more information.

This e-mail message has been scanned for Viruses and Content and cleared by MailMarshal

_______________________________________________ Sponsored by Infotext - Amazing Search for Microsoft SharePoint - http://www.infotext.com/ ozmoss mailing list ozmoss@ozmoss.com http://prdlxvm0001.codify.net/mailman/listinfo/ozmoss